CAPGEMINI_REGISTRATION_DOCUMENT_2017

CORPORATE GOVERNANCE - RISKS{AND INTERNAL{CONTROL

2.5 Risks and internal control

1 st line of defense: from management to employees Operations and Business Unit management supplement and adapt the Blue Book drafted by Group Management, by drawing up detailed internal control procedures which comply with the relevant laws, regulations and customary practices in the country where they operate, in order to exercise control more effectively over risks specific to their local market and culture. Operations and Business Unit management duties include the identification and control of risks relating to their own environment, in compliance with the rules and procedures implemented and communicated by the Group functional departments. 2 nd line of defense: function departments with risk expertise The various Group functional departments assist the Risk Committee with the identification and prioritization of risks. Each department defines and rolls out risk control systems in its activity sector and ensures, in particular, the consistency of actions undertaken in the Business Units with these guidelines. It assists all Group entities by facilitating the sharing of risk management and internal control best practice. 3 rd line of defense: internal audit For over 30 years, the Capgemini Group has had a central Internal Audit function. Its Director reports directly to the Chairman and Chief Executive Officer, guaranteeing the internal audit function is independent of the functions and Business Units audited. The internal audit team comprises 33 auditors, representing 10 different nationalities and covering 90% of the languages spoken locally in the Group. This significant internationalization of the internal audit team reflects the desire to accompany the expansion of the Group into new regions of the world; the Internal Audit Department also has a Bombay desk with 18 auditors including 4{technical experts specializing in the review of IT projects. In accordance with professional standards governing this activity, the internal audit function independently assesses the effectiveness of internal control and risk management procedures given that, irrespective of how well they are drafted and how stringently they are applied, these procedures can only provide reasonable assurance - and not an absolute guarantee - against all risks. Internal Audit is therefore tasked with: reviewing the internal control procedures implemented in the X Strategic Business Units and their component legal entities to ensure that they comply with the general principles and rules laid down by the Group and with certain specific procedures enabling the elimination or mitigation of the risks to which they are exposed locally; auditing the Group's major contracts considered to present X significant risk; Internal Audit uses one or more technical experts (Group Delivery Auditors), who are selected from among a list of Group accredited professionals according to their skills (and also their complete independence from the unit being audited).

Each Business Unit is audited in line with a bi-annual program covering the entire Group: the Chairman and Chief Executive Officer has the power to modify this program in the event of an emergency (delays and irregularities, major divergence from budgetary commitments, etc.). At the request of the Chairman and Chief Executive Officer, the Internal Audit Department may also perform special assignments to review specific situations. During 2017, the Internal Audit Department performed: 55 audits of units from all Group Strategic Business Units. Each audit involved an average of 36 man-days in the field and concluded with the issue of an action plan that management of the unit audited undertook to implement as quickly as possible in order to improve or correct the points identified by the audit. Internal Audit uses a tool covering the entire Group and enabling it to monitor real-time the implementation of recommendations following the audit, focusing particularly on priority actions; 3{special assignments following allegations or X whistle-blowing; The Internal Audit Director presents twice annually to the Capgemini SE Board’s Audit & Risk Committee, a comprehensive report on the department's work, particularly regarding internal control efficiency and risk management in the preparation and processing of financial and accounting information. The Ethics & Compliance Department is directly responsible for the ethics and compliance programs and the ethics phase of due diligence assignments on companies that the Group is considering acquiring. These reviews (ethical due diligence) involve an examination, from an ethical stance, of all the activities of the target company in order to ensure, in particular, their compatibility with expectations and ethics controls defined by the Capgemini Group. The Ethics & Compliance Department issued 6 ethical due diligence reports in 2017. The Ethics & Compliance Director presents once annually to the Capgemini SE Board’s Ethics & Governance Committee a specific report on measures implemented under the ethics program and the results of compliance audits of the Group's Code of Business Ethics (in particular the Ethics Code of Conduct, the Group Competition Laws policy and the Group’s anti-corruption policy). Finally, the Ethics & Compliance and Internal Audit Departments may at any moment draw up a special report for presentation to the Chairman and Chief Executive Officer on any matter they consider should be brought to his attention and inform the Audit and Risk Committee and/or the Ethics & Governance Committee where significant deviations have been identified. The risk management and internal control system comes from the interaction between the Risk Committee and other risk players, including the Ethics & Compliance Department, Internal Audit, the Insurance Department, the Business Units and the functional departments, which are responsible for day-to-day risk management in their specific areas.

2

105

REGISTRATION DOCUMENT 2017 — CAPGEMINI